Category Archives: GDPR

Confused about your employees’ data subject access rights?

As an employer, do any of these issues sound familiar? 

  • “I am writing to make a data subject access request pursuant to the General Data Protection Regulation…”
  • “This is a general request that relates to my personnel file and any other documents, typed, handwritten or electronic records, containing my name…”
  • “I have received your response to my request; it is inadequate and has a lot of information missing…”
  • “I intend to pursue a complaint with the ICO if I do not get what I want…”

Confused about your employees’ data subject access rights? Not sure about how to respond? Concerned about getting the response wrong and being reported to the Information Commissioner’s Office? Frustrated that a request will get in the way of you running your business?

If so, there is a solution!

FG Solicitors offers a proactive and practical approach, providing employers with confidence when it comes to employment and data protection law.

To find out what you CAN do please contact FG Solicitors on 0808 172 9322 for a no obligation discussion.





Does this sound familiar?

An employee has raised a grievance, or a former employee is threatening to launch an Employment Tribunal claim. You receive a Subject Access Request (“SAR”) from the (ex-)employee requesting a mountain of documents many of which appear to be of no relevance to the grievance or claim.

Must you comply with the SAR?

Before throwing the SAR in the bin, think again.
The Information Commissioner’s Office (“ICO”) has published guidance which you may find helpful in deciding how to respond to the SAR. Before relying on it, review the overall legal requirements, which remain unchanged: the recent ICO guidance simply clarifies certain aspects of the law.
When considering your response to the SAR, consider the following:

  • Is it “clearly or obviously unreasonable”?
  • What is the context in which it has been made?
  • Is the intent behind the request genuine?
  • How much management time will be required to provide the requested information?
  • What will it cost?
  • Is the (ex-)employee simply trying to inconvenience the company or apply pressure on it in order, for example, to induce the company to settle a claim?
  • Has the information already been disclosed as a result of a previous SAR or otherwise?

“Our legal team has seen an increase in vexatious SARs over the last year and they are on the increase. Disgruntled employees are making requests as a matter of course with the sole intention of inconveniencing the employer for the purposes of financial gain.”

Be careful if you are minded to reject the request
The fact that a SAR covers a considerable amount of information and will involve a lot of work is not, on its own, a ground for refusal: the guidance makes it clear that the SAR must be “manifestly unfounded” or “manifestly excessive” before it can be refused. Do not reject it solely because it is large or burdensome. Instead, consider the context of the SAR and the organisation’s resources, and take advice if necessary. Having done so, if the decision is made to reject all or part of the SAR because it is manifestly unfounded or excessive, keep a record of the decision-making process and your reasons for refusal. Those reasons should be set out in a letter to the individual, sent within one month of receipt of the request, along with a reminder of their right to complain to the ICO and to bring legal proceedings against the organisation to enforce their rights. Bear in mind that the burden of demonstrating that a request is manifestly unfounded or excessive rests with the organisation, not the individual.

FGS’ legal team includes specialists in data protection and privacy law, which enables us to advise on GDPR compliance including commercial contracts, policies and procedures, data breaches, subject access requests and privacy issues.

If you require further advice about data protection, please feel free to call us on 0808 172 9322 for a no obligation discussion.


This update is for general guidance only and advice should be taken in relation to a particular set of circumstances.


Last GDPR Seminar – 18 May 2018

You can now book on to our final seminar in the run-up to the GDPR becoming law on 25 May 2018.

Date: 18 May 2018
Time: 12pm to 2pm
Venue: FGS Office – Northampton

Don’t miss out on the opportunity to:

  • Assess your current state of readiness and obtain useful guidance
  • Plan and execute your GDPR strategy
  • Consider approaches to achieving and maintaining GDPR compliance post implementation

We’ve had great feedback from our previous GDPR Seminars:

“A very useful overview of what is required to work towards GDPR compliance”

“Good content on a ‘not so easy to understand’ heap of information – put into a more understandable way.”

Places are limited so book your place now – e-mail:


GDPR is Fast Approaching!

The clock is undoubtedly ticking for employers as we edge ever closer to 25 May 2018, when the General Data Protection Regulation (“GDPR”) becomes law. Naturally, there will be organisations that fail to comply with their obligations and make headlines, if only through fines or by strengthening a disgruntled employee’s ability to bring successful claims. But enough scaremongering!

The question on most employers’ lips is: what do we need to do to get ready? In broad summary there are five key steps:

  • Data mapping
  • A review of the key employment documents that touch and concern data protection
  • Training staff on policies and what to do if there is a breach
  • Dealing with Data Subject Access requests
  • Appointing a responsible person with overall knowledge and gatekeeping responsibility.

The starting point for employers is what is now referred to as data mapping which, put simply, means looking at what personal data is held and processed, where it comes from, who it is shared with and for what purpose it is processed. This will enable employers to identify their legal justification (lawful basis) for processing it.

Historically a significant proportion of employers have not given much thought to the justification for holding the employee data held in their organisation, preferring to rely on a clause in their standard employment contract requiring employees to consent to the employer using their data in whatever way it needed. Once the GDPR is in force, reliance on employee consent may not only prove ineffective (consent must be freely given and can be withdrawn at any time) but may also create an onerous administrative burden for employers.

Data mapping is a worthwhile exercise for employers of any size and will lead to those employers identifying and adopting the most appropriate GDPR compliant reasons for justifying data processing within their own organisations.

The next step for employers is to review existing documents, in particular contracts of employment, the policies and procedures in the staff handbook and the staff privacy notice, to ensure that they are all GDPR compliant. It is also important to ensure that any contracts in place with third-party service providers, for example payroll services providers, are GDPR compliant; the GDPR prescribes terms that must appear in a contract with a processor.

Employers need to ensure that their employees receive training on their obligations, such as record keeping, data retention and the reporting of personal data breaches.

The right of employees to make data subject access requests is nothing new, but it is likely that under the new regime employers will see an increase in such requests. The GDPR removes the right for employers to charge a fee, save where a request is manifestly unfounded or excessive, and shortens the time limit within which an employer must respond from the current forty days to one month, extendable by up to two further months only where the complexity or number of requests makes that necessary.

Finally in this summary, the responsible person, or Data Protection Officer (“DPO”). Not all employers are required to appoint one, but deciding whether to do so is an important exercise for all employers. If an employer chooses to have a DPO, time spent selecting the right individual will be time well spent.

Employers are well advised to get the ball rolling: there is very little time left to define and implement an effective GDPR-compliant infrastructure, even if the process has already started.

The Team at FG Solicitors can help you with tailored best practice HR and legal audit solutions, beginning with evaluating your current data protection framework enabling you to confidently establish a GDPR compliance roadmap. We will work with you to identify remedial action tailored to your method of operation, thus ensuring a best fit data compliance framework. Regardless of the size of your organisation, we can tailor our GDPR support services to your specific needs.


Contact us for a no obligation informal discussion.

Get GDPR ready with us


Couldn’t make it to our seminar on the 22nd February? Well, you haven’t lost out just yet! Keep an eye out for updates on our next seminar and get GDPR ready with us!

It focuses the mind to realise that there are under three months left before the General Data Protection Regulation (“GDPR”) becomes law in the UK on 25 May 2018.

What stage has your business reached in the process of operational readiness for GDPR? 

Fail to plan…. Plan to fail – GDPR is fast approaching!

The countdown to the replacement of the current Data Protection Act with the General Data Protection Regulation (“GDPR”) is now in full swing and the GDPR will become law with effect from 25 May 2018.

Early indications are that there is a lack of awareness, particularly within the SME community, of the sea change not just in structure but also in attitudes that will be required to become GDPR compliant. At the very least, by now companies should have made preparation for the GDPR a Board-level agenda item and identified a project team or project leader to evaluate the process and administrative changes necessary to become GDPR compliant. The responsible individuals should then create a timetable leading up to 25 May 2018 with checklists and milestones identified and agreed.


Although it is not mandatory to have a Data Protection Officer (“DPO”) in place unless you are a public authority, or your core activities involve the regular and systematic monitoring of individuals on a large scale, or the large-scale processing of special categories of data (such as health data) or criminal conviction data, it is certainly good practice. In short, the role of the DPO is:

· to inform and advise the organisation and its employees about their obligations under the GDPR;

· to monitor internal data processing activities for compliance with the GDPR, train employees, conduct internal audits and provide guidance on data protection impact assessments;

· to be the point of contact for the Information Commissioner’s Office (“ICO”), which is the supervisory authority for the UK.

A note of caution: compliance with the GDPR is not the responsibility of any one individual; it requires top-down support and the awareness and engagement of department heads, managers and individuals as to their roles and responsibilities.

Set out below are two examples of how the GDPR will change the existing law.


The GDPR makes some changes to the data subject access right and to the rules on responding to a data subject access request.

Data subjects will continue to have the right under the GDPR to access personal data concerning them and to obtain information about it, including the purposes for which it is being processed, the categories of personal data concerned and any recipients of the data. Under the GDPR, the employer will have to inform the data subjects:

· of any recipients of the data in countries outside the European Economic Area and the safeguards applied on a third country transfer of data;

· the envisaged retention period for the data, or the criteria used to determine that period; and

· the data subject’s rights to request rectification or erasure of the data, to request the restriction of processing and to object to processing.

Employers, and other data controllers, will have to respond to a data subject access request ‘without undue delay’ and within one month at the latest. This can be extended by two further months where necessary, taking into account the complexity and number of requests, but the data subject must be told of the extension, and the reasons for it, within the first month. Under the current rules, data controllers have 40 days to respond to a request.

Data controllers will no longer be able to charge a fee for providing information in response to a data subject access request, unless the request is ‘manifestly unfounded or excessive,’ in particular because it is repetitive.

If an employer receives a request that is manifestly unfounded or excessive, it will be able to charge a reasonable fee taking into account the administrative costs of responding to the request. Alternatively, it will be able to refuse to act on the request.

Where the data subject makes a request by electronic means, the information will need to be provided by electronic means where possible, unless the data subject requests otherwise.


The GDPR amongst other things, contains provisions relating to the collection of personal data about job applicants during a recruitment process.

The new rules will apply to data obtained from the applicant or from a third party such as a recruitment agency.

Prospective employers will need to provide applicants with an information notice. This notice will need to contain certain information, including the purposes for which the data will be processed, the legal basis for processing and the period for which the data will be retained.

Employers will be able to provide the information notice on their website, and send a link or copy of the notice in correspondence to individual applicants. Where the employer advertises a post on a website owned by a third-party, it should ensure that the details of the vacancy include a link to the information notice.

Employers should retain only the minimum data required and only keep it until the relevant limitation periods for bringing potential tribunal claims have expired.

Employers who intend to keep the details of unsuccessful candidates on file for future recruitment rounds must obtain the candidates’ consent to this. Employers who keep unsolicited CVs on file for future recruitment rounds, will need to inform candidates of this in the information notice.

Job applicants will have the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects concerning them or similarly significantly affects them, such as automatically rejecting an application. Employers will only be able to make such decisions if it is:

· necessary for entering or performing a contract;

· authorised by law; or

· with the applicant’s explicit consent.

Employers who use automated decision making will need to advise applicants of this in the information notice. They will also have to provide safeguards for applicants by allowing them to contest the automated decision and by giving them the right to an alternative means of making the decision using human intervention.

Employers who use recruitment agencies should satisfy themselves that the agency will implement appropriate technical and organisational measures to ensure the protection of the rights of the data subjects.

For further information and support with your GDPR compliance preparations contact FG Solicitors on 01604 871143 where a member of the team will be happy to assist.

We can help you get GDPR-ready

The team at FG Solicitors are experienced data protection experts and we can help you with tailored best-practice HR and Legal audit solutions, beginning with evaluating your current data protection framework enabling you to confidently establish a GDPR compliance roadmap.


We will work with you to identify remedial action tailored to your method of operation thus ensuring a best-fit data compliance framework. Regardless of the size of your organisation, we can tailor our GDPR support services to your specific needs. AUDIT! REMEDIATION! IMPLEMENTATION! TRAINING!

Contact us for a no obligation informal discussion.

01604 871143

Book now for the GDPR Seminar

On Thursday 22nd February, FG Solicitors will be giving businesses a chance to gain a better understanding of the GDPR, an EU data protection regulation that will apply in the UK and affect every business.

FG Solicitors, in line with its continuing dedicated support to employers, will be hosting a series of seminars to be held between now and the 25 May 2018 designed to support employers in ensuring that they are prepared for the significant changes that the GDPR will bring.

UK data protection law will fundamentally change on 25 May 2018 when the current Data Protection Act 1998 is replaced by the General Data Protection Regulation (GDPR).

Now this is YOUR chance to find out what impact it will have on you as an employer and on your business.

So what can you expect at the seminar?

The seminar will focus on the application of the GDPR to employers and what they should be doing now to prepare, and in particular, will cover:

  • Key differences between the current and new data protection regimes;
  • ‘Brexit’ considerations;
  • The extended rights of data subjects under GDPR;
  • New requirements including Privacy Impact Assessments (known under the GDPR as Data Protection Impact Assessments) and Privacy by Design;
  • The now critical role of the Data Protection Officer;
  • The new enforcement regime under the GDPR, with fines of up to €20M or 4% of worldwide annual turnover, whichever is higher; and
  • The requirement that the Data Protection Officer act as the contact point for the supervisory authority on issues related to the processing of personal data.

Floyd Graham, Principal and Founder of FG Solicitors, will be the speaker at the seminar. Floyd is a dedicated employment solicitor who has practised in this area of law for over two decades, providing commercially sound expertise and guidance to employers. Floyd is considered a thinker and leading light in the employment law sphere and is a regular speaker and highly regarded commentator on the intricacies of the employer/employee relationship, with a devoted following.

Places are limited. To book your place please email:

Gather, Distribute, Process, Retain No Info!

In terms of legal opinion on which others may place reliance, it is often advisable to do away with the needle of innuendo and pick up the club of statement. In line with that adopted position, you are invited to consider the implications of the impending arrival of the General Data Protection Regulation (“GDPR”).

As the Regulation has its origins in EU law, an immediate question is whether it will survive Brexit. The short answer is that, even if the Regulation does not survive intact post-Brexit, the Government has confirmed that the UK will implement the GDPR when it comes into effect on 25 May 2018, because the UK will still be a member of the EU at that time.

The GDPR heralds the biggest shake up in privacy laws in 20 years and will have a seismic impact on the human resource data processing undertaken by employers and employment related entities.

There will be some fundamental changes to the current law, and organisations need to be aware of those changes and should be actively developing a strategy for compliance ahead of them coming into effect in May 2018. This is especially so because the cost of GDPR non-compliance has risen dramatically compared with non-compliance under the current data protection legislation: the new fines can reach €20M or 4% of a business’s total worldwide annual turnover for the previous financial year, whichever is higher. It will also become easier for individuals to claim compensation, and group actions will be more likely.


As a minimum, the key changes for staff engagement purposes include:

Consent: No longer will it be sufficient to include in contracts of employment a blanket clause stating that an employee is deemed to consent to the lawful processing of their data. Where an organisation relies on consent, it will be obliged to demonstrate that consent has been given specifically for each processing purpose of the data in question. Furthermore, the organisation will need to demonstrate that the consent was freely given (potentially difficult in the master/servant relationship which is employment) and that the consent is “informed.” It will also need to implement a mechanism for the withdrawal of that consent at any time. In practice, consent is only one of the lawful bases available, and for most routine HR processing employers will be better placed relying on another basis, such as performance of the employment contract, compliance with a legal obligation or legitimate interests, and documenting that choice.

Subject Access Requests: The information to which data subjects will be entitled under the GDPR is more extensive. The time for providing that information is reduced from 40 days to one month, and there will no longer be a right for organisations to charge a fee to provide this data, save where a request is manifestly unfounded or excessive.

Right to Erasure: Also known as “the right to be forgotten,” this is a new right where individuals can request that their personal data is permanently deleted in certain circumstances. This will cause organisations particular difficulties where personal files are held both centrally and locally (for example, by a line manager).

Right to Restriction: There are instances when organisations are obliged to restrict processing; this includes employee challenges to the accuracy of personal data. This could result in certain management processes being stalled.

Breach Notifications: Unless the breach is unlikely to result in a risk to the individuals concerned, organisations acting as data controllers will be obliged to notify the ICO of personal data breaches without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where a breach occurs at a data processor (for example, an outsourced payroll provider), the processor must notify the controller without undue delay, so the 72-hour clock makes it essential that contracts with processors and internal escalation routes get breaches to the right people quickly. Where the breach is likely to result in a high risk to individuals, they too must be informed without undue delay.



Organisations could be forgiven for thinking that, as the GDPR implementation date (25 May 2018) is still the best part of 12 months away, and with Brexit looming, the matter can be left for now. But compliance with this legislation will require a good deal of planning and remapping of existing processes. The immediate steps for any organisation include:

  1. A comprehensive audit of existing systems and processes;
  2. Deciding whether additional personnel should be recruited to take on specific roles and responsibilities;
  3. Designing systems that will assist with GDPR compliance (including breach notification compliance);
  4. Identifying appropriate training for staff – for example, general awareness training for staff with more specific training for those with greater compliance responsibilities (including the IT Department and HR managers); and
  5. Reviewing and upgrading current Contracts of Employment and policies to manage risk.

We can undertake your audit and assist you with preparation for GDPR implementation. For a non-obligation consultation, please call a member of our team on 01604 871143 or email us on